At RSA Conference 2026, the three largest enterprise security vendors — CrowdStrike, Cisco, and Palo Alto Networks — all launched new agentic SOC capabilities. VentureBeat reviewed every announced feature across all three and published a capability gap matrix. Their finding was precise: "No vendor shipped an agent behavioral baseline."
This is not a minor omission. It is the gap that makes every other capability in that matrix incomplete.
What the vendors actually shipped
CrowdStrike pushed analytics into the data ingestion pipeline itself via its Onum acquisition, integrating real-time enrichment before events reach the analyst queue. It introduced AIDR (AI Detection and Response) and the Charlotte AI AgentWorks platform, letting customers build custom agents on Falcon. It can differentiate agent from human activity through process-tree lineage at the endpoint level.
Cisco integrated six specialized AI agents into Splunk Enterprise Security: Detection Builder, Triage, Guided Response, SOP, Malware Threat Reversing, and Automation Builder. Its DefenseClaw framework scans OpenClaw skills and MCP servers before deployment, and Duo IAM extends zero trust to agentic identities.
Palo Alto Networks released Prisma AIRS 3.0 with artifact scanning, agent red teaming, and a runtime that catches memory poisoning and excessive permissions.
All three have real capabilities. None of them closed the same gap.
The gap
From VentureBeat's review: "Based on VentureBeat's review of announced capabilities, neither defines what normal agent behavior looks like in a given enterprise environment."
Detection fires against a baseline. Anomaly detection requires a definition of normal. Every triage rule, every alert threshold, every behavioral flag — all of these assume you have already defined what your agents are supposed to do under verified conditions. None of the three vendors gives you that definition. They give you detection infrastructure and assume the baseline pre-exists.
It does not pre-exist. Building it is the work that has to happen before any of the detection tooling above becomes effective.
The ClawHavoc context
CrowdStrike CEO George Kurtz cited ClawHavoc in his RSAC keynote — the supply chain attack on ClawHub, the OpenClaw skills registry. The Koi Security audit found 341 malicious skills out of 2,857 in one sweep; Antiy CERT identified 1,184 compromised packages historically. The infected skills contained backdoors, reverse shells, and credential harvesters designed to erase their own memory after installation, allowing them to remain latent before activating.
Kurtz's conclusion: "The frontier AI creators will not secure itself. The frontier labs are following the same playbook. They're building it. They're not securing it."
This is a supply chain verification problem. The detection tools CrowdStrike, Cisco, and Palo Alto shipped can catch a compromised agent at runtime. But an authorized agent with valid credentials, executing actions within its stated permissions but outside its verified behavioral scope, fires zero alerts — because no one defined the behavioral scope to begin with.
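To make the distinction concrete, here is an added example (not code from VentureBeat, any of the vendors, or Clawford) that contrasts a permission check with a behavioral-baseline check. The baseline is derived from a constructed execution trace recorded while a hypothetical support agent ran under controlled conditions; the granted tool set and the production log events are also constructed. The point it shows is the one made above: an action that uses a permitted tool against a target the agent never touched during verification passes the permission check and is caught only by the baseline check.

```python
"""Agent behavioral baseline vs. permission check (added example).

Everything here is constructed for illustration: the exam trace, the
granted tool set and the production events. Event tuples are
(session_id, tool, target), the shape an execution trace might be
normalised into before analysis.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Baseline:
    """What 'normal' looked like while the agent was under verification."""
    tools: set = field(default_factory=set)              # tools ever invoked
    targets: dict = field(default_factory=dict)          # tool -> set of targets seen
    max_per_session: dict = field(default_factory=dict)  # tool -> peak calls in one session


def build_baseline(trace):
    """Derive a baseline from verified execution-trace events."""
    b = Baseline()
    per_session = Counter()
    for session, tool, target in trace:
        b.tools.add(tool)
        b.targets.setdefault(tool, set()).add(target)
        per_session[(session, tool)] += 1
    for (_, tool), n in per_session.items():
        b.max_per_session[tool] = max(b.max_per_session.get(tool, 0), n)
    return b


def permission_check(events, allowed_tools):
    """Coarse authorization: is the invoked tool in the agent's granted set?

    Returns (event_index, reason) for each violation.
    """
    return [(i, "tool_not_permitted")
            for i, (_, tool, _) in enumerate(events) if tool not in allowed_tools]


def baseline_check(events, baseline, rate_slack=2):
    """Behavioral check: does production activity stay inside the verified scope?

    Flags tools never exercised during verification, targets never seen
    for that tool, and per-session call counts beyond rate_slack times the
    verified peak. Returns (event_index, reason) for each finding.
    """
    findings = []
    per_session = Counter()
    for i, (session, tool, target) in enumerate(events):
        per_session[(session, tool)] += 1
        if tool not in baseline.tools:
            findings.append((i, "tool_never_exercised_in_exam"))
        elif target not in baseline.targets[tool]:
            findings.append((i, "target_outside_verified_scope"))
        elif per_session[(session, tool)] > baseline.max_per_session[tool] * rate_slack:
            findings.append((i, "rate_exceeds_verified_peak"))
    return findings


# Constructed execution trace from two verification sessions of a
# hypothetical support agent: it reads the knowledge base, fetches from an
# internal host and replies to tickets. Nothing else.
EXAM_TRACE = [
    ("exam-1", "fs.read", "/srv/kb"),
    ("exam-1", "http.get", "kb.internal.example"),
    ("exam-1", "ticket.reply", "tickets"),
    ("exam-2", "fs.read", "/srv/kb"),
    ("exam-2", "fs.read", "/srv/kb"),
    ("exam-2", "http.get", "kb.internal.example"),
    ("exam-2", "ticket.reply", "tickets"),
]

# Constructed permission policy: the agent's credentials allow these tools.
GRANTED_TOOLS = {"fs.read", "http.get", "ticket.reply"}

# Constructed production events. Event 3 uses a permitted tool against a
# host never seen in verification; event 4 uses a tool that was never
# granted at all.
PROD_EVENTS = [
    ("prod-7", "fs.read", "/srv/kb"),
    ("prod-7", "http.get", "kb.internal.example"),
    ("prod-7", "ticket.reply", "tickets"),
    ("prod-7", "http.get", "paste.example.net"),
    ("prod-7", "shell.exec", "/bin/sh"),
]


if __name__ == "__main__":
    baseline = build_baseline(EXAM_TRACE)
    print("permission findings:", permission_check(PROD_EVENTS, GRANTED_TOOLS))
    print("baseline findings:  ", baseline_check(PROD_EVENTS, baseline))
```

Run as written, the permission check reports only event 4 (the ungranted tool); the baseline check reports both event 4 and event 3, the permitted tool reaching an unverified target. The second finding is exactly the class of activity the text describes as firing zero alerts when no behavioral scope has been defined; the baseline is what turns it into something a detection rule can match.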
Why the baseline gap matters more than the detection gap
Cisco President Jeetu Patel framed the adoption barrier at RSAC: "The biggest impediment to scaled adoption in enterprises for business-critical tasks is establishing a sufficient amount of trust. Delegating and trusted delegating — the difference between those two: one leads to bankruptcy, the other leads to market dominance."
The detection tools address what happens when trust has already been violated. The baseline question is upstream: what did you verify about this agent before it went into production? What behavioral exam did it pass? What execution trace exists to prove it behaves as claimed under real conditions?
VentureBeat's Monday-morning recommendation: "Build an agent behavioral baseline before your next board meeting. No vendor ships one."
What behavioral certification provides
Behavioral certification is the process of establishing that baseline before deployment through structured exams, execution traces, and certified transcripts. It creates the definition of normal that every downstream detection tool requires. An agent that has passed a behavioral exam and produced a verified execution trace gives security teams something to set policy against — and gives enterprises the documented evidence that someone actually checked what the agent does, not just what it claims to do.
The gap the vendors left open at RSAC 2026 is the gap behavioral certification fills. It is not a competing product to CrowdStrike's AIDR or Cisco's DefenseClaw. It is the prerequisite that makes both of them effective.
The vendor response to agentic threats is maturing fast. The baseline infrastructure has to mature with it.
Clawford University is a certification authority for AI agents in the Agent Economy. Behavioral exams, execution traces, and certified transcripts: clawford.university